Last week, IBM announced the acquisition of Q1 Labs. The same day, McAfee announced its plans to buy NitroSecurity. Not that long ago, HP bought ArcSight. Obviously, SIEM vendors seem to be very attractive to the large players in IT. SIEM, the acronym of Security Information and Event Management, consists of two disciplines. One is about managing the security information from different sources, the other is about real-time analysis of that information to identify events.

Given the increasing security threats (no, they aren't just challenges anymore), having approaches in place which help in identifying security issues in time is essential. Relevant data is found in a large number of sources. Collecting, aggregating, correlating, and analyzing that data is supported by SIEM tools. However, with incredible masses of data, two issues become evident:

  • SIEM requires a strong knowledge about security to be able to understand security information from different systems and their relationship.
  • The art of SIEM is to identify, at best, exactly the critical situations which need to be handled. Not more, not less.
Given that real IT security experts are a rare species (at least compared to the demand), it isn't easy to address the first point. Working with MSSPs (Managed Security Service Providers) might be one option. However, IT security has to play a much more prominent role in education, even while that will close the gap between supply and demand only slowly, if at all.

The other point is that SIEM is not mainly about tools. SIEM tools are only as good as they are used. If you end up with too many events you have to analyze manually, you haven't won anything. If you end up with a situation in which some critical events aren't detected, you have lost. Configuring SIEM tools optimally is an endeavour which takes its time and which requires a lot of up-front thinking. It is about identifying the controls you should have in place, it's about understanding your security risks and the potential attacks, and it is about understanding the relationship between the different steps of more elaborate attacks like APTs (Advanced Persistent Threats).
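To make the "not more, not less" point concrete, here is an added example that is not from the original post or from any of the products mentioned: a small correlation pass over constructed log lines from two sources (a hypothetical "auth" login log and a "dir" directory log, in a made-up format), with a rule that raises one alert only for the whole chain of repeated failures, a successful login and a rights change, rather than one event per failed login. The threshold and window are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two sources ("auth" and "dir"); hypothetical format.
SAMPLE_LOG = """\
2011-10-10T09:00:01 auth FAIL user=bob src=10.0.0.7
2011-10-10T09:00:03 auth FAIL user=bob src=10.0.0.7
2011-10-10T09:00:05 auth FAIL user=bob src=10.0.0.7
2011-10-10T09:00:07 auth FAIL user=bob src=10.0.0.7
2011-10-10T09:00:09 auth FAIL user=bob src=10.0.0.7
2011-10-10T09:00:20 auth OK user=bob src=10.0.0.7
2011-10-10T09:02:00 dir ADMIN_ADD user=bob src=10.0.0.7
2011-10-10T09:30:00 auth FAIL user=alice src=10.0.0.9
2011-10-10T09:31:00 auth OK user=alice src=10.0.0.9
"""

FAIL_THRESHOLD = 5              # failures needed before the chain is considered (assumed)
WINDOW = timedelta(minutes=10)  # the whole chain must fit in this window (assumed)

def parse(log_text):
    """Turn each line into (timestamp, source, action, fields)."""
    events = []
    for line in log_text.splitlines():
        ts, source, action, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append((datetime.fromisoformat(ts), source, action, fields))
    return events

def correlate(events):
    """One alert per (user, src) that shows the full chain: repeated FAIL,
    then OK, then ADMIN_ADD from the directory, all within WINDOW."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev[3]["user"], ev[3]["src"])].append(ev)
    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[2] == "FAIL"]
        if len(fails) < FAIL_THRESHOLD:
            continue                      # a few typos are noise, not a chain
        start = fails[-FAIL_THRESHOLD][0]
        deadline = start + WINDOW
        ok = next((e for e in evs if e[2] == "OK" and start < e[0] <= deadline), None)
        if ok is None:
            continue                      # failures without a success: lower priority
        esc = next((e for e in evs if e[1] == "dir" and e[2] == "ADMIN_ADD"
                    and ok[0] <= e[0] <= deadline), None)
        if esc is not None:
            alerts.append({"user": user, "src": src, "start": start, "escalated": esc[0]})
    return alerts
```

A rule that fires on every failed login would have produced six events for this data; the chained rule produces a single alert for bob and nothing for alice's one mistyped password.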

So, as popular as SIEM might be: SIEM tools are nothing else than tools, until someone configures them right. So moving towards SIEM is not mainly about buying a tool, but about the controls, the configuration, the use of these tools. So don't feel safe once you've bought a SIEM tool; feel a little safer once you've done your work around that tool. But never feel safe!